+#!/bin/sh
+
+set -e
+
+. ./common.sh
+
+set_name='xenophobe'
+chain="${set_name}"
+
+if [ $# -eq 1 -a "x$1" = "xremove" ]
+then
+ $IPTABLES -D INPUT -m set --match-set "${set_name}" src -j "${chain}" || echo "no rule '${set_name}' to remove"
+ $IP6TABLES -D INPUT -m set --match-set "${set_name}6" src -j "${chain}" || echo "no rule '${set_name}6' to remove"
+ $IPSET destroy "${set_name}" || echo "no set '${set_name}' to remove"
+ $IPSET destroy "${set_name}6" || echo "no set '${set_name}6' to remove"
+ exit 0
+fi
+
+create_set "${set_name}" hash:net
+create_set "${set_name}6" hash:net family inet6
+
+# create or re-init chains
+if ! $IPTABLES -L "${chain}" >/dev/null
+then
+ echo "initializing chain '${chain}'"
+ $IPTABLES -N "${chain}" || $IPTABLES -F "${chain}"
+ $IPTABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+ $IPTABLES -A "${chain}" -j REJECT --reject-with icmp-port-unreachable
+ $IPTABLES -v -L "${chain}"
+fi
+
+if ! $IP6TABLES -L "${chain}" >/dev/null
+then
+ echo "initializing chain '${chain}' ipv6"
+ $IP6TABLES -N "${chain}" || $IP6TABLES -F "${chain}"
+ $IP6TABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+ $IP6TABLES -A "${chain}" -j REJECT --reject-with icmp6-port-unreachable
+ $IP6TABLES -v -L "${chain}"
+fi
+
+if ! $IPTABLES -C INPUT -m set --match-set "${set_name}" src -j "${chain}" >/dev/null 2>&1
+then
+ echo "initializing rule '${set_name}'"
+ $IPTABLES -I INPUT -m set --match-set "${set_name}" src -j "${chain}"
+fi
+
+if ! $IP6TABLES -C INPUT -m set --match-set "${set_name}6" src -j "${chain}" >/dev/null 2>&1
+then
+ echo "initializing rule '${set_name}6'"
+ $IP6TABLES -I INPUT -m set --match-set "${set_name}6" src -j "${chain}"
+fi
+
+# init new temporary set
+if [ -e "${set_name}.cidr" ]
+then
+ echo "updating set '${set_name}'"
+ $IPSET create "${set_name}-tmp" hash:net
+ for s in $(decommentcat "${set_name}.cidr" | grep '\.')
+ do
+ $IPSET add "${set_name}-tmp" "${s}"
+ done
+ $IPSET swap "${set_name}-tmp" "${set_name}"
+ $IPSET destroy "${set_name}-tmp"
+ $IPSET list -t "${set_name}"
+
+ echo "updating set '${set_name}'"
+ $IPSET create "${set_name}6-tmp" hash:net family inet6
+ for s in $(decommentcat "${set_name}.cidr" | grep '\:')
+ do
+ $IPSET add "${set_name}6-tmp" "${s}"
+ done
+ $IPSET swap "${set_name}6-tmp" "${set_name}6"
+ $IPSET destroy "${set_name}6-tmp"
+ $IPSET list -t "${set_name}6"
+fi
+
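Review bot: A run that aborts between the `ipset create` of a `-tmp` set and its final `destroy` — for instance `set -e` firing when `ipset add` rejects a malformed or duplicated entry from the `.cidr` file — leaves the `-tmp` set behind, and because `create` is called without `-exist`, every subsequent run then dies at that same `create` until someone destroys the stale set by hand. Creating tolerantly and emptying before use, `$IPSET create -exist "${set_name}-tmp" hash:net` followed by `$IPSET flush "${set_name}-tmp"` (and the same pair for the `family inet6` set), makes the refresh re-entrant; adding `-exist` to the `add` calls would likewise stop a duplicate CIDR in the file from aborting the whole update and leaving the live set stale. The `remove` branch deletes the INPUT rules and the sets but never flushes or deletes the `xenophobe` chains themselves, so `$IPTABLES -F "${chain}"` and `$IPTABLES -X "${chain}"` (plus the ip6tables pair) belong there after the `-D` lines. The log line printed before the IPv6 refresh also names `${set_name}` where `${set_name}6` is meant.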